Polish SA: administrative fine of 54 600 € for failure to implement appropriate technical and organisational measures to ensure a level of security

28 November 2024

Background information

  • Date of final decision: 29 April 2024
  • National case
  • Legal Reference(s): Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 32 (Security of processing), Article 5 (Principles relating to processing of personal data)
  • Decision: Administrative fine, Compliance order
  • Key words: Administrative fine, Data subject rights, Personal data breach, Principles relating to processing of personal data, Data security, Responsibility of the controller


Summary of the Decision


Origin of the case

An employee of the catering company Res-Gastro M. Gaweł Sp. k. from Kolbuszowa in the Podkarpacie region lost a flash drive containing personal data. The President of the Personal Data Protection Office determined that the way personal data was processed in this company was inconsistent with the applicable provisions of the GDPR, because the risk analysis had been conducted incorrectly and did not foresee the risk of losing the data carrier.
The flash drive contained unencrypted files with the personal data of another employee: name and surname, address, citizenship, gender, date of birth, personal identification number (PESEL number), passport series and number, telephone number, e-mail address, photos and data on the amount of earnings. The flash drive also contained encrypted files with financial data.


Key Findings

In the course of the proceedings, the company demonstrated that it had documents such as a risk register and confirmations that GDPR procedures were monitored. However, the rules for using external data carriers, including their encryption, turned out to be a problem. The company had informed employees how to encrypt files by means of an instructional video, which, as the Personal Data Protection Office noted, shifted the responsibility for the way data is processed onto the employees themselves.

The President of the Personal Data Protection Office found that the company misjudged the risk to the data. It was assumed that data carriers could be stolen or destroyed – but it was not taken into account that the medium could simply be lost without bad intentions.

In addition, although various adverse events had been assumed, cryptographic solutions for the protection of personal data on external media had not been implemented. An instructional video on "how to encrypt files on a flash drive and what program to use for this purpose" is not enough in view of the scope of data processed on such media.
Another problem was that the company had failed to regularly measure, test and evaluate the effectiveness of the security measures in place.


Decision

The company itself reported the incident, and during the proceedings it cooperated with the President of the Personal Data Protection Office, which had a significant impact on the final fine; without this, the fine would have been much higher. The amount of the fine is also, inter alia, the result of the company's high turnover.
The President of the Personal Data Protection Office imposed a fine of 54 600 € on Res-Gastro for infringement of Articles 5, 24, 25 and 32 of the GDPR. In addition, the company was ordered to take appropriate organisational and technical measures to ensure secure data processing.
